
Automatically Granted Permissions in Android apps: An Empirical Study on their Prevalence and on the Potential Threats for Privacy

Published: 18 September 2020

Abstract

Developers continuously update their Android apps to keep up with competitors in the market. Such constant updates do not bother end users, since by default the Android platform automatically pushes the most recent compatible release to the device, unless there are major changes in the list of requested permissions that users have to explicitly grant. The lack of explicit user approval for each application update, however, may lead to significant risks for the end user, as the new release may include new, subtle behaviors which may be privacy-invasive. The introduction of permission groups in the Android permission model makes this problem even worse: if a user grants a single permission within a group, the application can silently request further permissions in that group with each update, without having to ask the user.
In this paper, we explain the threat that permission groups may pose for the privacy of Android users. We run an empirical study on 2,865,553 app releases, and we show that in a representative app store more than ~17% of apps request, at least once in their lifetime, new dangerous permissions that the operating system grants without any user approval. Our analyses show that apps actually use over 56% of such automatically granted permissions, although most of their descriptions do not explicitly explain for what purposes. Finally, our manual inspection reveals clear abuses by apps that leak sensitive data such as the user's accurate location, list of contacts, history of phone calls, and emails, all of which are protected by permissions that the user never explicitly acknowledges.
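As an added illustration of the mechanism the abstract describes (this is not code from the paper or its authors), the check below diffs the permission lists of two consecutive releases and flags which newly requested dangerous permissions would be granted without a prompt because the earlier release already held a permission of the same group. The group table is an assumed subset of the Android 6.0 to 8.x grouping (membership has shifted in later releases, e.g. for call-log permissions), and both manifests are constructed samples.

```python
"""Flag dangerous permissions an app update would receive without a user prompt."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed subset of Android's dangerous-permission groups (6.0-8.x era);
# group membership has changed in later platform releases.
PERMISSION_GROUPS = {
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.WRITE_CONTACTS": "CONTACTS",
    "android.permission.GET_ACCOUNTS": "CONTACTS",
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.READ_CALL_LOG": "PHONE",
    "android.permission.CALL_PHONE": "PHONE",
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",
}

def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}

def classify_update(old_manifest: str, new_manifest: str):
    """Split the newly requested dangerous permissions of an update into
    (silently granted -> group, prompted). A new permission needs no prompt when
    the previous release already held a permission of the same group, assuming
    the user granted that earlier permission. Normal permissions are ignored."""
    old, new = requested_permissions(old_manifest), requested_permissions(new_manifest)
    held_groups = {PERMISSION_GROUPS[p] for p in old if p in PERMISSION_GROUPS}
    silent, prompted = {}, set()
    for perm in sorted(new - old):
        group = PERMISSION_GROUPS.get(perm)
        if group is None:
            continue  # not a dangerous permission in the assumed table
        if group in held_groups:
            silent[perm] = group
        else:
            prompted.add(perm)
    return silent, prompted

# Constructed manifests for two consecutive releases of the same (fictitious) app.
RELEASE_1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
RELEASE_2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    silent, prompted = classify_update(RELEASE_1, RELEASE_2)
    for perm, group in silent.items():
        print(f"granted without prompt: {perm} (group {group} already held)")
    print("requires a prompt:", sorted(prompted))
```

Running the same diff over each successive pair of releases in an app's history reproduces the per-app "at least once in their lifetime" count the abstract reports.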



Published In

MSR '20: Proceedings of the 17th International Conference on Mining Software Repositories, June 2020, 675 pages. ISBN: 9781450375177. DOI: 10.1145/3379597
Publisher

Association for Computing Machinery, New York, NY, United States

Cited By

• (2024) Decoding Android Permissions: A Study of Developer Challenges and Solutions on Stack Overflow. Proceedings of the 18th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement, pp. 143-153. DOI: 10.1145/3674805.3686676. Online publication date: 24-Oct-2024
• (2024) Measuring and Characterizing (Mis)compliance of the Android Permission System. IEEE Transactions on Software Engineering, 50(4), pp. 742-764. DOI: 10.1109/TSE.2024.3362921. Online publication date: 12-Feb-2024
• (2024) How Many Hands in the Cookie Jar? Examining Privacy Implications of Popular Apps in India. 2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P), pp. 741-757. DOI: 10.1109/EuroSP60621.2024.00046. Online publication date: 8-Jul-2024
• (2023) Evaluating the impact of community oversight for managing mobile privacy and security. Proceedings of the Nineteenth USENIX Conference on Usable Privacy and Security, pp. 437-456. DOI: 10.5555/3632186.3632210. Online publication date: 7-Aug-2023
• (2023) The Privacy Flag Observatory: A Crowdsourcing Tool for Real Time Privacy Threats Evaluation. Journal of Cybersecurity and Privacy, 3(1), pp. 26-43. DOI: 10.3390/jcp3010003. Online publication date: 29-Jan-2023
• (2023) Evaluating the Cybersecurity Risk of Real-world, Machine Learning Production Systems. ACM Computing Surveys, 55(9), pp. 1-36. DOI: 10.1145/3559104. Online publication date: 16-Jan-2023
• (2023) Android Source Code Vulnerability Detection: A Systematic Literature Review. ACM Computing Surveys, 55(9), pp. 1-37. DOI: 10.1145/3556974. Online publication date: 16-Jan-2023
• (2023) Advancing SDN from OpenFlow to P4: A Survey. ACM Computing Surveys, 55(9), pp. 1-37. DOI: 10.1145/3556973. Online publication date: 16-Jan-2023
• (2023) Emotion Ontology Studies: A Framework for Expressing Feelings Digitally and its Application to Sentiment Analysis. ACM Computing Surveys, 55(9), pp. 1-38. DOI: 10.1145/3555719. Online publication date: 16-Jan-2023
• (2023) It Takes a Village: A Case for Including Extended Family Members in the Joint Oversight of Family-based Privacy and Security for Mobile Smartphones. Extended Abstracts of the 2023 CHI Conference on Human Factors in Computing Systems, pp. 1-7. DOI: 10.1145/3544549.3585904. Online publication date: 19-Apr-2023